#766 closed defect (invalid)
ssl_protocols directive doesn't work in server context
| Reported by: | openid.yandex.ru/ptashgo | Owned by: | |
|---|---|---|---|
| Priority: | minor | Milestone: | |
| Component: | nginx-module | Version: | 1.8.x |
| Keywords: | Cc: | ||
| uname -a: | Linux localhost 3.13.0-43-generic #72-Ubuntu SMP Mon Dec 8 19:35:06 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux | ||
| nginx -V: |
nginx version: nginx/1.8.0
built by gcc 4.8.2 (Ubuntu 4.8.2-19ubuntu1) built with OpenSSL 1.0.1f 6 Jan 2014 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_spdy_module --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,--as-needed' --with-ipv6 |
||
Description
Documentation says that ssl_protocols valid contexts are: http, server but in fact it works only in http
Steps to reproduce:
- set ssl_protocols to TLSv1 TLSv1.1 TLSv1.2; inside server {}
- try to connect with sslv3 only option or test host with ssllabs
Change History (3)
comment:1 by , 9 years ago
| Resolution: | → invalid |
|---|---|
| Status: | new → closed |
comment:2 by , 9 years ago
I think it worth be mentioned in documentation, because many people can be sure that everything is fine with their setup, but still vulnerable by POODLE for example
comment:3 by , 9 years ago
This has to be mentioned in the documentation. The documentation is not addressing this at all, which is missleading at the least. How should the user know?
Note:
See TracTickets
for help on using tickets.
The
ssl_protocolsdirective works fine in both http and server contexts, and you can test it as follows:server { listen 8000 ssl default_server; ssl_protocols SSLv3; } server { listen 8001 ssl default_server; ssl_protocols TLSv1; }Note the above example uses servers on distinct ports - this is an important point. The
ssl_protocolsdoesn't allow to change available protocols in virtual servers listening on the same address:port, as protocol have to be selected before nginx will be able to choose a virtual server to use.Some additional details can be found in the mailing list thread here:
http://mailman.nginx.org/pipermail/nginx/2014-October/045454.html
http://mailman.nginx.org/pipermail/nginx/2014-November/045738.html